Kabbone/nixos-config
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

format the repo files

Browse Source
This commit is contained in:
Kabbone
2026-04-26 10:27:50 +02:00
parent 92fd97c9a2
commit b319cd93e9
116 changed files with 4726 additions and 4247 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
modules/services/dmz/default.nix
View File

@@ -9,11 +9,10 @@
# └─ default.nix *
# └─ ...
#
[
./microvm.nix
# ./hydra.nix
# ./hydra.nix
]
# picom, polybar and sxhkd are pulled from desktop module
# redshift temporarely disables

113
modules/services/dmz/gitea_runner.nix
View File

@@ -1,60 +1,63 @@
{ lib, config, pkgs, ... }:
{
virtualisation = {
podman ={
enable = true;
autoPrune.enable = true;
dockerCompat = true;
};
containers.containersConf.settings = {
# podman seems to not work with systemd-resolved
containers.dns_servers = [ "192.168.101.1" ];
#containers.dns_servers = [ "8.8.8.8" "8.8.4.4" ];
lib,
config,
pkgs,
...
}: {
virtualisation = {
podman = {
enable = true;
autoPrune.enable = true;
dockerCompat = true;
};
containers.containersConf.settings = {
# podman seems to not work with systemd-resolved
containers.dns_servers = ["192.168.101.1"];
#containers.dns_servers = [ "8.8.8.8" "8.8.4.4" ];
};
};
services.gitea-actions-runner.instances = {
homerunner = {
enable = true;
url = "https://git.kabtop.de";
name = "Homerunner";
tokenFile = config.age.secrets."services/gitea/homerunner-token".path;
labels = [
"home"
"debian-latest:docker://node:18-bullseye"
"ubuntu-latest:docker://node:16-bullseye"
"ubuntu-22.04:docker://node:16-bullseye"
"ubuntu-20.04:docker://node:16-bullseye"
"ubuntu-18.04:docker://node:16-buster"
"native:host"
];
hostPackages = with pkgs; [
bash
coreutils
curl
gawk
gitMinimal
gnused
nodejs
wget
];
settings = {
# container.options = "-e NIX_BUILD_SHELL=/bin/bash -e PAGER=cat -e PATH=/bin -e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt --device /dev/kvm -v /nix:/nix -v ${storeDeps}/bin:/bin -v ${storeDeps}/etc/ssl:/etc/ssl --user nixuser --device=/dev/kvm";
# the default network that also respects our dns server settings
container.network = "host";
container.privileged = false;
# container.valid_volumes = [
# "/nix"
# "${storeDeps}/bin"
# "${storeDeps}/etc/ssl"
# ];
};
};
};
services.gitea-actions-runner.instances = {
homerunner = {
enable = true;
url = "https://git.kabtop.de";
name = "Homerunner";
tokenFile = config.age.secrets."services/gitea/homerunner-token".path;
labels = [
"home"
"debian-latest:docker://node:18-bullseye"
"ubuntu-latest:docker://node:16-bullseye"
"ubuntu-22.04:docker://node:16-bullseye"
"ubuntu-20.04:docker://node:16-bullseye"
"ubuntu-18.04:docker://node:16-buster"
"native:host"
];
hostPackages = with pkgs; [
bash
coreutils
curl
gawk
gitMinimal
gnused
nodejs
wget
];
settings = {
# container.options = "-e NIX_BUILD_SHELL=/bin/bash -e PAGER=cat -e PATH=/bin -e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt --device /dev/kvm -v /nix:/nix -v ${storeDeps}/bin:/bin -v ${storeDeps}/etc/ssl:/etc/ssl --user nixuser --device=/dev/kvm";
# the default network that also respects our dns server settings
container.network = "host";
container.privileged = false;
# container.valid_volumes = [
# "/nix"
# "${storeDeps}/bin"
# "${storeDeps}/etc/ssl"
# ];
};
};
};
age.secrets."services/gitea/homerunner-token" = {
file = ../../../secrets/services/gitea/homerunner-token.age;
owner = "gitea-runner";
};
age.secrets."services/gitea/homerunner-token" = {
file = ../../../secrets/services/gitea/homerunner-token.age;
owner = "gitea-runner";
};
}

159
modules/services/dmz/hydra.nix
View File

@@ -1,91 +1,92 @@
{ lib, config, pkgs, ... }:
{
services = {
hydra = {
enable = true;
hydraURL = "https://hydra.home.opel-online.de";
listenHost = "127.0.0.1";
notificationSender = "hydra@localhost";
useSubstitutes = true;
minimumDiskFree = 30;
};
nix-serve = {
enable = true;
port = 5001;
bindAddress = "127.0.0.1";
secretKeyFile = config.age.secrets."keys/nixsign".path;
};
nginx = {
enable = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
virtualHosts = {
"home.opel-online.de" = {
enableACME = true;
forceSSL = true;
default = true;
locations."/".return = "503";
};
"hydra.home.opel-online.de" = {
useACMEHost = "home.opel-online.de";
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:3000";
extraConfig = ''
proxy_set_header X-Forwarded-Port 443;
'';
};
};
"cache.home.opel-online.de" = {
useACMEHost = "home.opel-online.de";
forceSSL = true;
locations."/".proxyPass = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
};
};
};
lib,
config,
pkgs,
...
}: {
services = {
hydra = {
enable = true;
hydraURL = "https://hydra.home.opel-online.de";
listenHost = "127.0.0.1";
notificationSender = "hydra@localhost";
useSubstitutes = true;
minimumDiskFree = 30;
};
security.acme = {
acceptTerms = true;
defaults = {
email = "webmaster@opel-online.de";
#server = "https://acme-staging-v02.api.letsencrypt.org/directory";
dnsResolver = "9.9.9.9:53";
};
certs = {
nix-serve = {
enable = true;
port = 5001;
bindAddress = "127.0.0.1";
secretKeyFile = config.age.secrets."keys/nixsign".path;
};
nginx = {
enable = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
virtualHosts = {
"home.opel-online.de" = {
domain = "*.home.opel-online.de";
dnsProvider = "netcup";
environmentFile = config.age.secrets."services/acme/opel-online".path;
webroot = null;
enableACME = true;
forceSSL = true;
default = true;
locations."/".return = "503";
};
"hydra.home.opel-online.de" = {
useACMEHost = "home.opel-online.de";
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:3000";
extraConfig = ''
proxy_set_header X-Forwarded-Port 443;
'';
};
};
"cache.home.opel-online.de" = {
useACMEHost = "home.opel-online.de";
forceSSL = true;
locations."/".proxyPass = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
};
};
};
nix = {
settings = {
trusted-users = [
"hydra"
];
allowed-uris = "http:// https://";
};
security.acme = {
acceptTerms = true;
defaults = {
email = "webmaster@opel-online.de";
#server = "https://acme-staging-v02.api.letsencrypt.org/directory";
dnsResolver = "9.9.9.9:53";
};
certs = {
"home.opel-online.de" = {
domain = "*.home.opel-online.de";
dnsProvider = "netcup";
environmentFile = config.age.secrets."services/acme/opel-online".path;
webroot = null;
};
};
};
extraOptions = ''
secret-key-files = ${config.age.secrets."keys/nixsign".path}
'';
};
age.secrets."keys/nixsign" = {
file = ../../../secrets/keys/nixservepriv.age;
owner = "hydra";
};
age.secrets."services/acme/opel-online" = {
file = ../../../secrets/services/acme/opel-online.age;
owner = "acme";
nix = {
settings = {
trusted-users = [
"hydra"
];
allowed-uris = "http:// https://";
};
extraOptions = ''
secret-key-files = ${config.age.secrets."keys/nixsign".path}
'';
};
age.secrets."keys/nixsign" = {
file = ../../../secrets/keys/nixservepriv.age;
owner = "hydra";
};
age.secrets."services/acme/opel-online" = {
file = ../../../secrets/services/acme/opel-online.age;
owner = "acme";
};
}

120
modules/services/dmz/microvm.nix
View File

@@ -1,48 +1,55 @@
{ config, microvm, lib, pkgs, user, agenix, impermanence, ... }:
let
name = "gitea-runner";
in
{
config,
microvm,
lib,
pkgs,
user,
agenix,
impermanence,
...
}: let
name = "gitea-runner";
in {
microvm = {
autostart = [
name
];
vms = {
${name} = {
inherit pkgs;
config = {
imports =
[ agenix.nixosModules.default ] ++
[ impermanence.nixosModules.impermanence ] ++
[( ./gitea_runner.nix )];
imports =
[agenix.nixosModules.default]
++ [impermanence.nixosModules.impermanence]
++ [(./gitea_runner.nix)];
networking = {
hostName = "${name}";
firewall = {
enable = true;
allowedUDPPorts = [ ];
allowedTCPPorts = [ ];
allowedUDPPorts = [];
allowedTCPPorts = [];
};
};
systemd.network = {
enable = true;
networks = {
"10-lan" = {
matchConfig.Name = "*";
networkConfig = {
DHCP = "yes";
IPv6AcceptRA = true;
};
};
enable = true;
networks = {
"10-lan" = {
matchConfig.Name = "*";
networkConfig = {
DHCP = "yes";
IPv6AcceptRA = true;
};
};
};
};
users.users.${user} = { # System User
users.users.${user} = {
# System User
isNormalUser = true;
extraGroups = [ "wheel" ];
extraGroups = ["wheel"];
uid = 2000;
openssh.authorizedKeys.keys = [
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIANmaraVJ/o20c4dqVnGLp/wGck9QNHFPvO9jcEbKS29AAAABHNzaDo= kabbone@kabc"
@@ -56,30 +63,32 @@ in
enable = true;
settings.PasswordAuthentication = false;
hostKeys = [
{
{
path = "/persist/etc/ssh/ssh_host_ed25519_key";
type = "ed25519";
}
{
}
{
path = "/persist/etc/ssh/ssh_host_rsa_key";
type = "rsa";
bits = 4096;
}];
}
];
};
};
fileSystems."/persist".neededForBoot = lib.mkForce true;
environment = {
systemPackages = with pkgs; [ # Default packages install system-wide
bash
coreutils
curl
gawk
gitMinimal
gnused
nodejs
wget
systemPackages = with pkgs; [
# Default packages install system-wide
bash
coreutils
curl
gawk
gitMinimal
gnused
nodejs
wget
];
persistence."/persist" = {
directories = [
@@ -100,27 +109,30 @@ in
vcpu = 4;
mem = 4096;
interfaces = [
{
type = "macvtap";
id = "vm-${name}";
mac = "04:00:00:00:00:01";
macvtap = {
{
type = "macvtap";
id = "vm-${name}";
mac = "04:00:00:00:00:01";
macvtap = {
link = "ens18";
mode = "bridge";
};
} ];
shares = [{
source = "/nix/store";
mountPoint = "/nix/.ro-store";
tag = "ro-store";
proto = "virtiofs";
}
{
source = "/etc/vm-persist/${name}";
mountPoint = "/persist";
tag = "persist";
proto = "virtiofs";
}];
};
}
];
shares = [
{
source = "/nix/store";
mountPoint = "/nix/.ro-store";
tag = "ro-store";
proto = "virtiofs";
}
{
source = "/etc/vm-persist/${name}";
mountPoint = "/persist";
tag = "persist";
proto = "virtiofs";
}
];
#writableStoreOverlay = "/nix/.rw-store";
#storeOnDisk = true;
};

5
modules/services/kabtopci/default.nix
View File

@@ -9,11 +9,10 @@
# └─ default.nix *
# └─ ...
#
[
# ./microvm.nix
# ./microvm.nix
./hydra.nix
]
# picom, polybar and sxhkd are pulled from desktop module
# redshift temporarely disables

111
modules/services/kabtopci/gitea_runner.nix
View File

@@ -1,59 +1,62 @@
{ lib, config, pkgs, ... }:
{
virtualisation = {
podman ={
enable = true;
autoPrune.enable = true;
dockerCompat = true;
};
containers.containersConf.settings = {
# podman seems to not work with systemd-resolved
containers.dns_servers = [ "8.8.8.8" "8.8.4.4" ];
lib,
config,
pkgs,
...
}: {
virtualisation = {
podman = {
enable = true;
autoPrune.enable = true;
dockerCompat = true;
};
containers.containersConf.settings = {
# podman seems to not work with systemd-resolved
containers.dns_servers = ["8.8.8.8" "8.8.4.4"];
};
};
services.gitea-actions-runner.instances = {
cirunner = {
enable = true;
url = "https://git.kabtop.de";
name = "CI Kabtop runner";
tokenFile = config.age.secrets."services/gitea/cirunner-token".path;
labels = [
"ci"
"debian-latest:docker://node:18-bullseye"
"ubuntu-latest:docker://node:16-bullseye"
"ubuntu-22.04:docker://node:16-bullseye"
"ubuntu-20.04:docker://node:16-bullseye"
"ubuntu-18.04:docker://node:16-buster"
"native:host"
];
hostPackages = with pkgs; [
bash
coreutils
curl
gawk
gitMinimal
gnused
nodejs
wget
];
settings = {
# container.options = "-e NIX_BUILD_SHELL=/bin/bash -e PAGER=cat -e PATH=/bin -e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt --device /dev/kvm -v /nix:/nix -v ${storeDeps}/bin:/bin -v ${storeDeps}/etc/ssl:/etc/ssl --user nixuser --device=/dev/kvm";
# the default network that also respects our dns server settings
container.network = "host";
container.privileged = false;
# container.valid_volumes = [
# "/nix"
# "${storeDeps}/bin"
# "${storeDeps}/etc/ssl"
# ];
};
};
};
services.gitea-actions-runner.instances = {
cirunner = {
enable = true;
url = "https://git.kabtop.de";
name = "CI Kabtop runner";
tokenFile = config.age.secrets."services/gitea/cirunner-token".path;
labels = [
"ci"
"debian-latest:docker://node:18-bullseye"
"ubuntu-latest:docker://node:16-bullseye"
"ubuntu-22.04:docker://node:16-bullseye"
"ubuntu-20.04:docker://node:16-bullseye"
"ubuntu-18.04:docker://node:16-buster"
"native:host"
];
hostPackages = with pkgs; [
bash
coreutils
curl
gawk
gitMinimal
gnused
nodejs
wget
];
settings = {
# container.options = "-e NIX_BUILD_SHELL=/bin/bash -e PAGER=cat -e PATH=/bin -e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt --device /dev/kvm -v /nix:/nix -v ${storeDeps}/bin:/bin -v ${storeDeps}/etc/ssl:/etc/ssl --user nixuser --device=/dev/kvm";
# the default network that also respects our dns server settings
container.network = "host";
container.privileged = false;
# container.valid_volumes = [
# "/nix"
# "${storeDeps}/bin"
# "${storeDeps}/etc/ssl"
# ];
};
};
};
age.secrets."services/gitea/cirunner-token" = {
file = ../../../secrets/services/gitea/cirunner-token.age;
owner = "gitea-runner";
};
age.secrets."services/gitea/cirunner-token" = {
file = ../../../secrets/services/gitea/cirunner-token.age;
owner = "gitea-runner";
};
}

144
modules/services/kabtopci/hydra.nix
View File

@@ -1,82 +1,84 @@
{ lib, config, pkgs, ... }:
{
services = {
hydra = {
enable = true;
hydraURL = "https://hydra.ci.kabtop.de";
listenHost = "127.0.0.1";
notificationSender = "hydra@kabtop.de";
useSubstitutes = true;
minimumDiskFree = 8;
};
nix-serve = {
enable = true;
port = 5001;
bindAddress = "127.0.0.1";
secretKeyFile = config.age.secrets."keys/nixsign".path;
};
nginx = {
enable = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
virtualHosts = {
"ci.kabtop.de" = {
enableACME = true;
forceSSL = true;
default = true;
locations."/".return = "503";
};
"hydra.ci.kabtop.de" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:3000";
extraConfig = ''
proxy_set_header X-Forwarded-Port 443;
'';
};
};
"cache.ci.kabtop.de" = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
lib,
config,
pkgs,
...
}: {
services = {
hydra = {
enable = true;
hydraURL = "https://hydra.ci.kabtop.de";
listenHost = "127.0.0.1";
notificationSender = "hydra@kabtop.de";
useSubstitutes = true;
minimumDiskFree = 8;
};
nix-serve = {
enable = true;
port = 5001;
bindAddress = "127.0.0.1";
secretKeyFile = config.age.secrets."keys/nixsign".path;
};
nginx = {
enable = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
virtualHosts = {
"ci.kabtop.de" = {
enableACME = true;
forceSSL = true;
default = true;
locations."/".return = "503";
};
"hydra.ci.kabtop.de" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:3000";
extraConfig = ''
proxy_set_header X-Forwarded-Port 443;
'';
};
};
"cache.ci.kabtop.de" = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
};
};
};
};
security.acme = {
acceptTerms = true;
defaults = {
email = "webmaster@kabtop.de";
webroot = "/var/lib/acme/acme-challenge";
#server = "https://acme-staging-v02.api.letsencrypt.org/directory";
};
security.acme = {
acceptTerms = true;
defaults = {
email = "webmaster@kabtop.de";
webroot = "/var/lib/acme/acme-challenge";
#server = "https://acme-staging-v02.api.letsencrypt.org/directory";
};
nix = {
settings = {
trusted-users = [
"hydra"
];
allowed-uris = [
"github:"
"https://github.com/"
"git+ssh://github.com/"
];
};
};
extraOptions = ''
secret-key-files = ${config.age.secrets."keys/nixsign".path}
'';
};
age.secrets."keys/nixsign" = {
file = ../../../secrets/keys/nixservepriv.age;
owner = "hydra";
nix = {
settings = {
trusted-users = [
"hydra"
];
allowed-uris = [
"github:"
"https://github.com/"
"git+ssh://github.com/"
];
};
extraOptions = ''
secret-key-files = ${config.age.secrets."keys/nixsign".path}
'';
};
age.secrets."keys/nixsign" = {
file = ../../../secrets/keys/nixservepriv.age;
owner = "hydra";
};
}

116
modules/services/kabtopci/microvm.nix
View File

@@ -1,48 +1,55 @@
{ config, microvm, lib, pkgs, user, agenix, impermanence, ... }:
let
name = "gitea-runner";
in
{
config,
microvm,
lib,
pkgs,
user,
agenix,
impermanence,
...
}: let
name = "gitea-runner";
in {
microvm = {
autostart = [
name
];
vms = {
${name} = {
inherit pkgs;
config = {
imports =
[ agenix.nixosModules.default ] ++
[ impermanence.nixosModules.impermanence ] ++
[( ./gitea_runner.nix )];
imports =
[agenix.nixosModules.default]
++ [impermanence.nixosModules.impermanence]
++ [(./gitea_runner.nix)];
networking = {
hostName = "${name}";
firewall = {
enable = true;
allowedUDPPorts = [ ];
allowedTCPPorts = [ ];
allowedUDPPorts = [];
allowedTCPPorts = [];
};
};
systemd.network = {
enable = true;
networks = {
"10-lan" = {
matchConfig.Name = "*";
networkConfig = {
DHCP = "yes";
IPv6AcceptRA = true;
};
};
enable = true;
networks = {
"10-lan" = {
matchConfig.Name = "*";
networkConfig = {
DHCP = "yes";
IPv6AcceptRA = true;
};
};
};
};
users.users.${user} = { # System User
users.users.${user} = {
# System User
isNormalUser = true;
extraGroups = [ "wheel" ];
extraGroups = ["wheel"];
uid = 2000;
openssh.authorizedKeys.keys = [
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIANmaraVJ/o20c4dqVnGLp/wGck9QNHFPvO9jcEbKS29AAAABHNzaDo= kabbone@kabc"
@@ -56,30 +63,32 @@ in
enable = true;
settings.PasswordAuthentication = false;
hostKeys = [
{
{
path = "/persist/etc/ssh/ssh_host_ed25519_key";
type = "ed25519";
}
{
}
{
path = "/persist/etc/ssh/ssh_host_rsa_key";
type = "rsa";
bits = 4096;
}];
}
];
};
};
fileSystems."/persist".neededForBoot = lib.mkForce true;
environment = {
systemPackages = with pkgs; [ # Default packages install system-wide
bash
coreutils
curl
gawk
gitMinimal
gnused
nodejs
wget
systemPackages = with pkgs; [
# Default packages install system-wide
bash
coreutils
curl
gawk
gitMinimal
gnused
nodejs
wget
];
persistence."/persist" = {
directories = [
@@ -100,23 +109,26 @@ in
mem = 3096;
#kernel = pkgs.linuxKernel.packages.linux_latest;
interfaces = [
{
type = "user";
id = "vm-${name}";
mac = "04:00:00:00:00:02";
} ];
shares = [{
source = "/nix/store";
mountPoint = "/nix/.ro-store";
tag = "ro-store";
proto = "virtiofs";
}
{
source = "/etc/vm-persist/${name}";
mountPoint = "/persist";
tag = "persist";
proto = "virtiofs";
}];
{
type = "user";
id = "vm-${name}";
mac = "04:00:00:00:00:02";
}
];
shares = [
{
source = "/nix/store";
mountPoint = "/nix/.ro-store";
tag = "ro-store";
proto = "virtiofs";
}
{
source = "/etc/vm-persist/${name}";
mountPoint = "/persist";
tag = "persist";
proto = "virtiofs";
}
];
#writableStoreOverlay = "/nix/.rw-store";
#storeOnDisk = true;
};

12
modules/services/keyring.nix
View File

@@ -1,14 +1,16 @@
#
# Screenshots
#
{ pkgs, user, ... }:
{
services = { # sxhkd shortcut = Printscreen button (Print)
pkgs,
user,
...
}: {
services = {
# sxhkd shortcut = Printscreen button (Print)
gnome-keyring = {
enable = true;
};
};
home.packages = with pkgs; [ gcr seahorse ];
home.packages = with pkgs; [gcr seahorse];
}

7
modules/services/kubemaster/default.nix
View File

@@ -9,11 +9,10 @@
# └─ default.nix *
# └─ ...
#
[
# ./microvm.nix
# ./hydra.nix
# ./microvm.nix
# ./hydra.nix
]
# picom, polybar and sxhkd are pulled from desktop module
# redshift temporarely disables

3
modules/services/nas/default.nix
View File

@@ -9,7 +9,6 @@
# └─ default.nix *
# └─ ...
#
[
./nfs.nix
./nginx.nix
@@ -17,6 +16,6 @@
./syncthing.nix
./paperless.nix
]
# picom, polybar and sxhkd are pulled from desktop module
# redshift temporarely disables

23
modules/services/nas/nfs.nix
View File

@@ -1,18 +1,23 @@
{config, pkgs, lib, ...}: {
{
config,
pkgs,
lib,
...
}: {
# enable nfs
services.nfs.server = rec {
enable = true;
exports = ''
/export 192.168.2.0/24(rw,fsid=0,no_subtree_check)
/export/Pluto 192.168.2.0/24(rw,no_subtree_check)
/export/Mars 192.168.2.0/24(rw,no_subtree_check)
'';
createMountPoints = true;
enable = true;
exports = ''
/export 192.168.2.0/24(rw,fsid=0,no_subtree_check)
/export/Pluto 192.168.2.0/24(rw,no_subtree_check)
/export/Mars 192.168.2.0/24(rw,no_subtree_check)
'';
createMountPoints = true;
};
# open the firewall
networking.firewall = {
interfaces.ens18 = {
allowedTCPPorts = [ 2049 ];
allowedTCPPorts = [2049];
};
};
}

18
modules/services/nas/nginx.nix
View File

@@ -1,10 +1,12 @@
#
# System notifications
#
{ config, lib, pkgs, ... }:
{
config,
lib,
pkgs,
...
}: {
services.nginx = {
enable = true;
recommendedProxySettings = true;
@@ -56,13 +58,12 @@
};
};
};
security.acme = {
acceptTerms = true;
defaults = {
email = "webmaster@opel-online.de";
# server = "https://acme-staging-v02.api.letsencrypt.org/directory";
# server = "https://acme-staging-v02.api.letsencrypt.org/directory";
dnsResolver = "9.9.9.9:53";
};
certs = {
@@ -75,17 +76,16 @@
};
};
systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/mnt/Pluto/nix-cache" ];
systemd.services.nginx.serviceConfig.ReadWritePaths = ["/mnt/Pluto/nix-cache"];
networking.firewall = {
enable = true;
allowedUDPPorts = [ ];
allowedTCPPorts = [ 80 443 ];
allowedUDPPorts = [];
allowedTCPPorts = [80 443];
};
age.secrets."services/acme/opel-online" = {
file = ../../../secrets/services/acme/opel-online.age;
owner = "acme";
};
}

15
modules/services/nas/paperless.nix
View File

@@ -1,15 +1,17 @@
#
# System notifications
#
{ config, lib, pkgs, ... }:
{
config,
lib,
pkgs,
...
}: {
services.paperless = {
enable = true;
domain = "paperless.home.opel-online.de";
passwordFile = config.age.secrets."services/paperless/pwFile".path;
# environmentFile = config.age.secrets."services/paperless/environment".path;
# environmentFile = config.age.secrets."services/paperless/environment".path;
configureTika = true;
settings = {
PAPERLESS_OCR_LANGUAGE = "deu+eng";
@@ -31,8 +33,7 @@
};
age.secrets."services/paperless/pwFile" = {
file = ../../../secrets/services/paperless/pwFile.age;
owner = "paperless";
file = ../../../secrets/services/paperless/pwFile.age;
owner = "paperless";
};
}

42
modules/services/nas/syncthing.nix
View File

@@ -1,29 +1,32 @@
#
# System notifications
#
{ config, lib, pkgs, ... }:
{
config,
lib,
pkgs,
...
}: {
services.syncthing = {
enable = true;
group = "users";
user = "kabbone";
dataDir = "/home/${config.services.syncthing.user}/Sync";
configDir = "/home/${config.services.syncthing.user}/.config/syncthing";
overrideDevices = true; # overrides any devices added or deleted through the WebUI
overrideFolders = true; # overrides any folders added or deleted through the WebUI
overrideDevices = true; # overrides any devices added or deleted through the WebUI
overrideFolders = true; # overrides any folders added or deleted through the WebUI
openDefaultPorts = true;
settings = {
devices = {
"hades.home.opel-online.de" = { id = "3VPCBVW-RH7XKFM-TWJGQHC-ZRAQ575-CQKGGKP-NAB4VXE-KCKJFUT-AMCUQQA"; };
"lifebook.home.opel-online.de" = { id = "RKPZG3H-BDUZID3-DV26MKR-UOARIQC-JBCAFXP-J5QFM4H-5EGBSM5-VEGXHQ4"; };
"hades.home.opel-online.de" = {id = "3VPCBVW-RH7XKFM-TWJGQHC-ZRAQ575-CQKGGKP-NAB4VXE-KCKJFUT-AMCUQQA";};
"lifebook.home.opel-online.de" = {id = "RKPZG3H-BDUZID3-DV26MKR-UOARIQC-JBCAFXP-J5QFM4H-5EGBSM5-VEGXHQ4";};
};
folders = {
"Sync" = { # Name of folder in Syncthing, also the folder ID
path = "/mnt/Mars/${config.services.syncthing.user}/Sync"; # Which folder to add to Syncthing
devices = [ "hades.home.opel-online.de" "lifebook.home.opel-online.de" ]; # Which devices to share the folder with
ignorePerms = false; # By default, Syncthing doesn't sync file permissions. This line enables it for this folder.
"Sync" = {
# Name of folder in Syncthing, also the folder ID
path = "/mnt/Mars/${config.services.syncthing.user}/Sync"; # Which folder to add to Syncthing
devices = ["hades.home.opel-online.de" "lifebook.home.opel-online.de"]; # Which devices to share the folder with
ignorePerms = false; # By default, Syncthing doesn't sync file permissions. This line enables it for this folder.
};
};
};
@@ -35,19 +38,18 @@
useACMEHost = "home.opel-online.de";
forceSSL = true;
locations."/" = {
recommendedProxySettings = false;
proxyPass = "http://${toString config.services.syncthing.guiAddress}";
recommendedProxySettings = false;
proxyPass = "http://${toString config.services.syncthing.guiAddress}";
extraConfig = ''
proxy_set_header Host localhost;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header Host localhost;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
'';
};
};
};
};
}

13
modules/services/nas/vaultwarden.nix
View File

@@ -1,10 +1,12 @@
#
# System notifications
#
{ config, lib, pkgs, ... }:
{
config,
lib,
pkgs,
...
}: {
services.vaultwarden = {
enable = true;
dbBackend = "sqlite";
@@ -31,8 +33,7 @@
};
age.secrets."services/vaultwarden/environment" = {
file = ../../../secrets/services/vaultwarden/environment.age;
owner = "vaultwarden";
file = ../../../secrets/services/vaultwarden/environment.age;
owner = "vaultwarden";
};
}

5
modules/services/nasbackup/default.nix
View File

@@ -9,10 +9,9 @@
# └─ default.nix *
# └─ ...
#
[
# ./nfs.nix
# ./nfs.nix
]
# picom, polybar and sxhkd are pulled from desktop module
# redshift temporarely disables

3
modules/services/printer/default.nix
View File

@@ -9,10 +9,9 @@
# └─ default.nix *
# └─ ...
#
[
./klipper.nix
]
# picom, polybar and sxhkd are pulled from desktop module
# redshift temporarely disables

192
modules/services/printer/klipper.nix
View File

@@ -1,101 +1,103 @@
{ lib, config, pkgs, ... }:
{
environment = {
systemPackages = with pkgs; [
klipperscreen
];
lib,
config,
pkgs,
...
}: {
environment = {
systemPackages = with pkgs; [
klipperscreen
];
};
services = {
klipper = {
enable = true;
user = "moonraker";
group = "moonraker";
configFile = ./printer.cfg;
mutableConfig = true;
configDir = "/var/lib/moonraker/config";
firmwares."sovol06" = {
serial = "/dev/serial/by-id/usb-1a86_USB_Serial-if00-port0";
enableKlipperFlash = true;
enable = true;
configFile = ./firmware.conf;
};
};
services = {
klipper = {
enable = true;
user = "moonraker";
group = "moonraker";
configFile = ./printer.cfg;
mutableConfig = true;
configDir = "/var/lib/moonraker/config";
firmwares."sovol06" = {
serial = "/dev/serial/by-id/usb-1a86_USB_Serial-if00-port0";
enableKlipperFlash = true;
enable = true;
configFile = ./firmware.conf;
};
mainsail = {
enable = true;
nginx = {
enableACME = false;
#useACMEHost = "home.opel-online.de";
serverName = "nbf5.home.opel-online.de";
#onlySSL = true;
#listenAddresses = [ "0.0.0.0" "::" ];
#forceSSL = true;
};
mainsail = {
enable = true;
nginx = {
enableACME = false;
#useACMEHost = "home.opel-online.de";
serverName = "nbf5.home.opel-online.de";
#onlySSL = true;
#listenAddresses = [ "0.0.0.0" "::" ];
#forceSSL = true;
};
};
moonraker = {
enable = true;
allowSystemControl = true;
address = "0.0.0.0";
settings = {
authorization = {
force_logins = true;
cors_domains = [
"*://nbf5.home.opel-online.de"
"*.local"
];
trusted_clients = [
"127.0.0.0/8"
"192.168.2.0/24"
];
};
file_manager = {
enable_object_processing = true;
};
};
};
# nginx = {
# enable = true;
# recommendedProxySettings = true;
# recommendedTlsSettings = true;
# recommendedGzipSettings = true;
# recommendedOptimisation = true;
# virtualHosts = {
# "ci.kabtop.de" = {
# enableACME = true;
# forceSSL = true;
# default = true;
# locations."/".return = "503";
# };
# "hydra.ci.kabtop.de" = {
# enableACME = true;
# forceSSL = true;
# locations."/" = {
# proxyPass = "http://localhost:3000";
# extraConfig = ''
# proxy_set_header X-Forwarded-Port 443;
# '';
# };
# };
# "cache.ci.kabtop.de" = {
# enableACME = true;
# forceSSL = true;
# locations."/".proxyPass = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
# };
# };
# };
# };
#
# security.acme = {
# acceptTerms = true;
# defaults = {
# email = "webmaster@kabtop.de";
# webroot = "/var/lib/acme/acme-challenge";
# #server = "https://acme-staging-v02.api.letsencrypt.org/directory";
# };
};
moonraker = {
enable = true;
allowSystemControl = true;
address = "0.0.0.0";
settings = {
authorization = {
force_logins = true;
cors_domains = [
"*://nbf5.home.opel-online.de"
"*.local"
];
trusted_clients = [
"127.0.0.0/8"
"192.168.2.0/24"
];
};
file_manager = {
enable_object_processing = true;
};
};
};
# nginx = {
# enable = true;
# recommendedProxySettings = true;
# recommendedTlsSettings = true;
# recommendedGzipSettings = true;
# recommendedOptimisation = true;
# virtualHosts = {
# "ci.kabtop.de" = {
# enableACME = true;
# forceSSL = true;
# default = true;
# locations."/".return = "503";
# };
# "hydra.ci.kabtop.de" = {
# enableACME = true;
# forceSSL = true;
# locations."/" = {
# proxyPass = "http://localhost:3000";
# extraConfig = ''
# proxy_set_header X-Forwarded-Port 443;
# '';
# };
# };
# "cache.ci.kabtop.de" = {
# enableACME = true;
# forceSSL = true;
# locations."/".proxyPass = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
# };
# };
# };
# };
#
# security.acme = {
# acceptTerms = true;
# defaults = {
# email = "webmaster@kabtop.de";
# webroot = "/var/lib/acme/acme-challenge";
# #server = "https://acme-staging-v02.api.letsencrypt.org/directory";
# };
};
}

16
modules/services/printer/nginx.nix
View File

@@ -1,10 +1,12 @@
#
# System notifications
#
{ config, lib, pkgs, ... }:
{
config,
lib,
pkgs,
...
}: {
services.nginx = {
enable = true;
recommendedProxySettings = true;
@@ -20,13 +22,12 @@
};
};
};
security.acme = {
acceptTerms = true;
defaults = {
email = "webmaster@opel-online.de";
# server = "https://acme-staging-v02.api.letsencrypt.org/directory";
# server = "https://acme-staging-v02.api.letsencrypt.org/directory";
dnsResolver = "9.9.9.9:53";
};
certs = {
@@ -41,13 +42,12 @@
networking.firewall = {
enable = true;
allowedUDPPorts = [ ];
allowedTCPPorts = [ 80 443 ];
allowedUDPPorts = [];
allowedTCPPorts = [80 443];
};
age.secrets."services/acme/opel-online" = {
file = ../../../secrets/services/acme/opel-online.age;
owner = "acme";
};
}

32
modules/services/server/coturn.nix
View File

@@ -1,4 +1,9 @@
{config, pkgs, lib, ...}: {
{
config,
pkgs,
lib,
...
}: {
# enable coturn
services.coturn = rec {
enable = true;
@@ -43,21 +48,24 @@
# open the firewall
networking.firewall = {
interfaces.ens18 = let
range = with config.services.coturn; [ {
from = min-port;
to = max-port;
} ];
in
{
range = with config.services.coturn; [
{
from = min-port;
to = max-port;
}
];
in {
allowedUDPPortRanges = range;
allowedUDPPorts = [ 3478 ];
allowedUDPPorts = [3478];
allowedTCPPortRanges = range;
allowedTCPPorts = [ 3478 5349 ];
allowedTCPPorts = [3478 5349];
};
};
# get a certificate
security.acme.certs.${config.services.coturn.realm} = {
/* insert here the right configuration to obtain a certificate */
/*
insert here the right configuration to obtain a certificate
*/
postRun = "systemctl restart coturn.service";
group = "turnserver";
};
@@ -67,7 +75,7 @@
#};
age.secrets."services/coturn/static-auth" = {
file = ../../../secrets/services/coturn/static-auth.age;
owner = "turnserver";
file = ../../../secrets/services/coturn/static-auth.age;
owner = "turnserver";
};
}

5
modules/services/server/default.nix
View File

@@ -9,7 +9,6 @@
# └─ default.nix *
# └─ ...
#
[
./postgresql.nix
./gitea.nix
@@ -19,8 +18,8 @@
./coturn.nix
./hydra.nix
./mealie.nix
# ./ollama.nix
# ./ollama.nix
]
# picom, polybar and sxhkd are pulled from desktop module
# redshift temporarely disables

114
modules/services/server/gitea.nix
View File

@@ -1,10 +1,12 @@
#
# System notifications
#
{ config, lib, pkgs, ... }:
{
config,
lib,
pkgs,
...
}: {
services.gitea = {
enable = true;
dump.enable = false;
@@ -19,56 +21,56 @@
appName = "Kabtop Git";
mailerPasswordFile = config.age.secrets."services/gitea/mailerPassword".path;
settings = {
server = {
ROOT_URL = "https://git.kabtop.de";
HTTP_ADDR = "localhost";
DOMAIN = "git.kabtop.de";
SSH_PORT = 2220;
ENABLE_GZIP = true;
LFS_START_SERVER = true;
LFS_ALLOW_PURE_SSH = true;
};
security = {
MIN_PASSWORD_LENGTH = 12;
PASSWORD_CHECK_PWN = true;
PASSWORD_HASH_ALGO = "argon2";
};
# oauth2 = {
# ENABLE = true;
# #JWT_SECRET = "secret123";
# };
repository = {
MAX_CREATION_LIMIT = 100;
};
ui = {
SHOW_USER_EMAIL = false;
DEFAULT_THEME = "gitea-dark";
};
# openid = {
# ENABLE_OPENID_SIGNIN = true;
# WHITELISTED_URIS = "https://auth.kabtop.de";
# };
# oauth2_client = {
# ENABLE_AUTO_REGISTRATION = true;
# };
time = {
DEFAULT_UI_LOCATION = "Europe/Berlin";
};
other = {
SHOW_FOOTER_VERSION = false;
};
server = {
ROOT_URL = "https://git.kabtop.de";
HTTP_ADDR = "localhost";
DOMAIN = "git.kabtop.de";
SSH_PORT = 2220;
ENABLE_GZIP = true;
LFS_START_SERVER = true;
LFS_ALLOW_PURE_SSH = true;
};
security = {
MIN_PASSWORD_LENGTH = 12;
PASSWORD_CHECK_PWN = true;
PASSWORD_HASH_ALGO = "argon2";
};
# oauth2 = {
# ENABLE = true;
# #JWT_SECRET = "secret123";
# };
repository = {
MAX_CREATION_LIMIT = 100;
};
ui = {
SHOW_USER_EMAIL = false;
DEFAULT_THEME = "gitea-dark";
};
# openid = {
# ENABLE_OPENID_SIGNIN = true;
# WHITELISTED_URIS = "https://auth.kabtop.de";
# };
# oauth2_client = {
# ENABLE_AUTO_REGISTRATION = true;
# };
time = {
DEFAULT_UI_LOCATION = "Europe/Berlin";
};
other = {
SHOW_FOOTER_VERSION = false;
};
session.COOKIE_SECURE = true;
service = {
REGISTER_EMAIL_CONFIRM = true;
DISABLE_REGISTRATION = true;
};
actions = {
ENABLED = true;
};
indexer = {
REPO_INDEXER_ENABLED = false;
};
session.COOKIE_SECURE = true;
service = {
REGISTER_EMAIL_CONFIRM = true;
DISABLE_REGISTRATION = true;
};
actions = {
ENABLED = true;
};
indexer = {
REPO_INDEXER_ENABLED = false;
};
};
};
@@ -87,11 +89,11 @@
};
};
age.secrets."services/gitea/mailerPassword" = {
file = ../../../secrets/services/gitea/mailerPassword.age;
owner = "gitea";
file = ../../../secrets/services/gitea/mailerPassword.age;
owner = "gitea";
};
age.secrets."services/gitea/databasePassword" = {
file = ../../../secrets/services/gitea/databasePassword.age;
owner = "gitea";
file = ../../../secrets/services/gitea/databasePassword.age;
owner = "gitea";
};
}

111
modules/services/server/gitea_runner.nix
View File

@@ -1,59 +1,62 @@
{ lib, config, pkgs, ... }:
{
virtualisation = {
podman ={
enable = true;
autoPrune.enable = true;
dockerCompat = true;
};
containers.containersConf.settings = {
# podman seems to not work with systemd-resolved
containers.dns_servers = [ "8.8.8.8" "8.8.4.4" ];
lib,
config,
pkgs,
...
}: {
virtualisation = {
podman = {
enable = true;
autoPrune.enable = true;
dockerCompat = true;
};
containers.containersConf.settings = {
# podman seems to not work with systemd-resolved
containers.dns_servers = ["8.8.8.8" "8.8.4.4"];
};
};
services.gitea-actions-runner.instances = {
serverrunner = {
enable = true;
url = "https://git.kabtop.de";
name = "Server runner";
tokenFile = config.age.secrets."services/gitea/serverrunner-token".path;
labels = [
"server"
"debian-latest:docker://node:18-bullseye"
"ubuntu-latest:docker://node:16-bullseye"
"ubuntu-22.04:docker://node:16-bullseye"
"ubuntu-20.04:docker://node:16-bullseye"
"ubuntu-18.04:docker://node:16-buster"
"native:host"
];
hostPackages = with pkgs; [
bash
coreutils
curl
gawk
gitMinimal
gnused
nodejs
wget
];
settings = {
# container.options = "-e NIX_BUILD_SHELL=/bin/bash -e PAGER=cat -e PATH=/bin -e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt --device /dev/kvm -v /nix:/nix -v ${storeDeps}/bin:/bin -v ${storeDeps}/etc/ssl:/etc/ssl --user nixuser --device=/dev/kvm";
# the default network that also respects our dns server settings
container.network = "host";
container.privileged = false;
# container.valid_volumes = [
# "/nix"
# "${storeDeps}/bin"
# "${storeDeps}/etc/ssl"
# ];
};
};
};
services.gitea-actions-runner.instances = {
serverrunner = {
enable = true;
url = "https://git.kabtop.de";
name = "Server runner";
tokenFile = config.age.secrets."services/gitea/serverrunner-token".path;
labels = [
"server"
"debian-latest:docker://node:18-bullseye"
"ubuntu-latest:docker://node:16-bullseye"
"ubuntu-22.04:docker://node:16-bullseye"
"ubuntu-20.04:docker://node:16-bullseye"
"ubuntu-18.04:docker://node:16-buster"
"native:host"
];
hostPackages = with pkgs; [
bash
coreutils
curl
gawk
gitMinimal
gnused
nodejs
wget
];
settings = {
# container.options = "-e NIX_BUILD_SHELL=/bin/bash -e PAGER=cat -e PATH=/bin -e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt --device /dev/kvm -v /nix:/nix -v ${storeDeps}/bin:/bin -v ${storeDeps}/etc/ssl:/etc/ssl --user nixuser --device=/dev/kvm";
# the default network that also respects our dns server settings
container.network = "host";
container.privileged = false;
# container.valid_volumes = [
# "/nix"
# "${storeDeps}/bin"
# "${storeDeps}/etc/ssl"
# ];
};
};
};
age.secrets."services/gitea/serverrunner-token" = {
file = ../../../secrets/services/gitea/serverrunner-token.age;
owner = "gitea-runner";
};
age.secrets."services/gitea/serverrunner-token" = {
file = ../../../secrets/services/gitea/serverrunner-token.age;
owner = "gitea-runner";
};
}

138
modules/services/server/hydra.nix
View File

@@ -1,77 +1,79 @@
{ lib, config, pkgs, ... }:
{
services = {
hydra = {
enable = true;
hydraURL = "https://hydra.ci.kabtop.de";
listenHost = "127.0.0.1";
port = 3001;
notificationSender = "hydra@kabtop.de";
useSubstitutes = true;
minimumDiskFree = 50;
maxServers = 10;
};
nix-serve = {
enable = true;
port = 5001;
bindAddress = "127.0.0.1";
secretKeyFile = config.age.secrets."keys/nixsign".path;
};
nginx = {
enable = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
virtualHosts = {
"ci.kabtop.de" = {
enableACME = true;
forceSSL = true;
default = true;
locations."/".return = "503";
};
"hydra.ci.kabtop.de" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:3001";
extraConfig = ''
proxy_set_header X-Forwarded-Port 443;
'';
};
};
"cache.ci.kabtop.de" = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
lib,
config,
pkgs,
...
}: {
services = {
hydra = {
enable = true;
hydraURL = "https://hydra.ci.kabtop.de";
listenHost = "127.0.0.1";
port = 3001;
notificationSender = "hydra@kabtop.de";
useSubstitutes = true;
minimumDiskFree = 50;
maxServers = 10;
};
nix-serve = {
enable = true;
port = 5001;
bindAddress = "127.0.0.1";
secretKeyFile = config.age.secrets."keys/nixsign".path;
};
nginx = {
enable = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
virtualHosts = {
"ci.kabtop.de" = {
enableACME = true;
forceSSL = true;
default = true;
locations."/".return = "503";
};
"hydra.ci.kabtop.de" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:3001";
extraConfig = ''
proxy_set_header X-Forwarded-Port 443;
'';
};
};
"cache.ci.kabtop.de" = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
};
};
};
};
nix = {
settings = {
cores = 5;
max-jobs = 1;
trusted-users = [
"hydra"
];
allowed-uris = [
"github:"
"https://github.com/"
"git+ssh://github.com/"
];
};
extraOptions = ''
secret-key-files = ${config.age.secrets."keys/nixsign".path}
'';
};
age.secrets."keys/nixsign" = {
file = ../../../secrets/keys/nixservepriv.age;
owner = "hydra";
nix = {
settings = {
cores = 5;
max-jobs = 1;
trusted-users = [
"hydra"
];
allowed-uris = [
"github:"
"https://github.com/"
"git+ssh://github.com/"
];
};
extraOptions = ''
secret-key-files = ${config.age.secrets."keys/nixsign".path}
'';
};
age.secrets."keys/nixsign" = {
file = ../../../secrets/keys/nixservepriv.age;
owner = "hydra";
};
}

82
modules/services/server/jitsi.nix
View File

@@ -1,46 +1,48 @@
{ config, pkgs, ... }:
{
services.jitsi-meet = {
enable = true;
hostName = "meet.kabtop.de";
config = {
enableWelcomePage = false;
prejoinPageEnabled = true;
defaultLang = "en";
};
interfaceConfig = {
SHOW_JITSI_WATERMARK = false;
SHOW_WATERMARK_FOR_GUESTS = false;
};
config,
pkgs,
...
}: {
services.jitsi-meet = {
enable = true;
hostName = "meet.kabtop.de";
config = {
enableWelcomePage = false;
prejoinPageEnabled = true;
defaultLang = "en";
};
#services.jibri = {
# enable = true;
# config = {
# recording = {
# recordings-directory = "/var/lib/jitsi-meet-recordings";
# };
# ffmpeg = {
# #framerate = 30;
# #video-encode-preset = "veryfast"; # https://trac.ffmpeg.org/wiki/Encode/H.264#a2.Chooseapresetandtune
# h264-constant-rate-factor = 21; # https://trac.ffmpeg.org/wiki/Encode/H.264#a1.ChooseaCRFvalue
# };
# };
#};
services.jitsi-videobridge = {
enable = true;
openFirewall = true;
interfaceConfig = {
SHOW_JITSI_WATERMARK = false;
SHOW_WATERMARK_FOR_GUESTS = false;
};
};
#services.jibri = {
# enable = true;
# config = {
# recording = {
# recordings-directory = "/var/lib/jitsi-meet-recordings";
# };
# ffmpeg = {
# #framerate = 30;
# #video-encode-preset = "veryfast"; # https://trac.ffmpeg.org/wiki/Encode/H.264#a2.Chooseapresetandtune
# h264-constant-rate-factor = 21; # https://trac.ffmpeg.org/wiki/Encode/H.264#a1.ChooseaCRFvalue
# };
# };
#};
services.jitsi-videobridge = {
enable = true;
openFirewall = true;
};
services.prosody.extraConfig = ''
log = "/var/log/prosody/prosody.log"
'';
systemd.tmpfiles.rules = [
"d /var/log/prosody - prosody prosody"
#"d ${config.services.jibri.config.recording.recordings-directory} 0750 jibri jibri -"
];
services.prosody.extraConfig = ''
log = "/var/log/prosody/prosody.log"
'';
systemd.tmpfiles.rules = [
"d /var/log/prosody - prosody prosody"
#"d ${config.services.jibri.config.recording.recordings-directory} 0750 jibri jibri -"
];
security.acme.defaults.email = "webmaster@kabtop.de";
security.acme.defaults.webroot = "/var/lib/acme/acme-challenge";
security.acme.acceptTerms = true;
security.acme.defaults.email = "webmaster@kabtop.de";
security.acme.defaults.webroot = "/var/lib/acme/acme-challenge";
security.acme.acceptTerms = true;
}

391
modules/services/server/matrix.nix
View File

@@ -1,10 +1,12 @@
#
# System notifications
#
{ config, lib, pkgs, ... }:
let
{
config,
lib,
pkgs,
...
}: let
fqdn = "matrix.${config.networking.domain}";
clientConfig = {
"m.homeserver".base_url = "https://${fqdn}";
@@ -24,230 +26,237 @@ in {
recommendedGzipSettings = true;
recommendedProxySettings = true;
virtualHosts = {
"${config.networking.domain}" = {
"${config.networking.domain}" = {
enableACME = true;
forceSSL = true;
locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
locations."/_matrix".proxyPass = "http://localhost:8008";
locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
locations."/_matrix".proxyPass = "http://localhost:8008";
};
"${fqdn}" = {
enableACME = true;
forceSSL = true;
locations."/health".proxyPass = "http://localhost:8008";
locations."/_matrix".proxyPass = "http://localhost:8008";
locations."/_synapse/client".proxyPass = "http://localhost:8008";
locations."/".extraConfig = ''
locations."/health".proxyPass = "http://localhost:8008";
locations."/_matrix".proxyPass = "http://localhost:8008";
locations."/_synapse/client".proxyPass = "http://localhost:8008";
locations."/".extraConfig = ''
return 404;
'';
};
# "element.${config.networking.domain}" = {
# enableACME = true;
# forceSSL = true;
#
# root = pkgs.element-web.override {
# conf = {
# default_server_config = clientConfig;
# };
# };
# };
# "element.${config.networking.domain}" = {
# enableACME = true;
# forceSSL = true;
#
# root = pkgs.element-web.override {
# conf = {
# default_server_config = clientConfig;
# };
# };
# };
};
};
imports = [ ../../kabbone/mautrix-whatsapp.nix ];
imports = [../../kabbone/mautrix-whatsapp.nix];
services.matrix-synapse = {
enable = true;
settings = {
server_name = config.networking.domain;
public_baseurl = "https://matrix.${config.networking.domain}";
listeners = [
{ port = 8008;
bind_addresses = [ "::1" ];
type = "http";
tls = false;
x_forwarded = true;
resources = [
{ names = [ "client" ]; compress = true; }
{ names = [ "federation" ]; compress = false; }
];
}
];
server_name = config.networking.domain;
public_baseurl = "https://matrix.${config.networking.domain}";
listeners = [
{
port = 8008;
bind_addresses = ["::1"];
type = "http";
tls = false;
x_forwarded = true;
resources = [
{
names = ["client"];
compress = true;
}
{
names = ["federation"];
compress = false;
}
];
}
];
};
extraConfigFiles = [
config.age.secrets."services/matrix/synapse.yml".path
config.age.secrets."services/matrix/synapse.yml".path
];
};
systemd.services = {
matrix-synapse = {
requires = [ "postgresql.service" ];
};
matrix-synapse = {
requires = ["postgresql.service"];
};
};
services = {
mautrix-telegram = {
enable = true;
registerToSynapse = true;
environmentFile = config.age.secrets."services/matrix/mautrix-telegram.env".path;
settings = {
homeserver = {
address = "http://localhost:8008";
domain = "kabtop.de";
};
appservice = {
hostname = "127.0.0.1";
provisioning.enabled = false;
id = "telegram";
public = {
enabled = false;
};
};
bridge = {
sync_channel_members = true;
startup_sync = true;
public_portals = true;
double_puppet_server_map = {
"kabtop.de" = "https://kabtop.de";
};
encryption = {
allow = true;
default = true;
verification_levels = {
receive = "cross-signed-untrusted";
send = "cross-signed-untrusted";
};
};
private_chat_portal_meta = "default";
backfill = {
disable_notifications = true;
};
permissions = {
"@kabbone:kabtop.de" = "admin";
};
};
logging = {
loggers = {
mau = {
level = "WARN";
};
telethon = {
level = "WARN";
};
};
root = {
handlers = [
"console"
];
level = "WARN";
};
};
mautrix-telegram = {
enable = true;
registerToSynapse = true;
environmentFile = config.age.secrets."services/matrix/mautrix-telegram.env".path;
settings = {
homeserver = {
address = "http://localhost:8008";
domain = "kabtop.de";
};
appservice = {
hostname = "127.0.0.1";
provisioning.enabled = false;
id = "telegram";
public = {
enabled = false;
};
};
mautrix-signal = {
enable = true;
registerToSynapse = true;
environmentFile = config.age.secrets."services/matrix/mautrix-signal.env".path;
settings = {
homeserver = {
address = "http://localhost:8008";
domain = "kabtop.de";
};
appservice = {
hostname = "127.0.0.1";
id = "signal";
as_token = "$MAUTRIX_SIGNAL_AS_TOKEN";
hs_token = "$MAUTRIX_SIGNAL_HS_TOKEN";
};
database = {
type = "postgres";
uri = "$MAUTRIX_SIGNAL_APPSERVICE_DATABASE";
};
encryption = {
allow = true;
default = true;
verification_levels = {
receive = "cross-signed-untrusted";
send = "cross-signed-untrusted";
};
pickle_key = "$MAUTRIX_SIGNAL_ENCRYPTION_PICKLE_KEY";
};
backfill = {
enabled = true;
};
bridge = {
permissions = {
"@kabbone:kabtop.de" = "admin";
};
};
logging = {
min_level = "warn";
writers = [
{
format = "pretty-colored";
type = "stdout";
}
];
};
};
bridge = {
sync_channel_members = true;
startup_sync = true;
public_portals = true;
double_puppet_server_map = {
"kabtop.de" = "https://kabtop.de";
};
};
kabbone_mautrix-whatsapp = {
enable = true;
registerToSynapse = true;
environmentFile = config.age.secrets."services/matrix/mautrix-whatsapp.env".path;
settings = {
homeserver = {
address = "http://localhost:8008";
domain = "kabtop.de";
};
appservice = {
hostname = "127.0.0.1";
id = "whatsapp";
as_token = "$MAUTRIX_WHATSAPP_AS_TOKEN";
hs_token = "$MAUTRIX_WHATSAPP_HS_TOKEN";
};
database = {
type = "postgres";
uri = "$MAUTRIX_WHATSAPP_APPSERVICE_DATABASE";
};
encryption = {
allow = true;
default = true;
verification_levels = {
receive = "cross-signed-untrusted";
send = "cross-signed-untrusted";
};
pickle_key = "$MAUTRIX_WHATSAPP_ENCRYPTION_PICKLE_KEY";
};
network = {
history_sync.request_full_sync = true;
};
bridge = {
permissions = {
"@kabbone:kabtop.de" = "admin";
};
};
logging = {
min_level = "warn";
};
encryption = {
allow = true;
default = true;
verification_levels = {
receive = "cross-signed-untrusted";
send = "cross-signed-untrusted";
};
};
private_chat_portal_meta = "default";
backfill = {
disable_notifications = true;
};
permissions = {
"@kabbone:kabtop.de" = "admin";
};
};
logging = {
loggers = {
mau = {
level = "WARN";
};
telethon = {
level = "WARN";
};
};
root = {
handlers = [
"console"
];
level = "WARN";
};
};
};
};
mautrix-signal = {
enable = true;
registerToSynapse = true;
environmentFile = config.age.secrets."services/matrix/mautrix-signal.env".path;
settings = {
homeserver = {
address = "http://localhost:8008";
domain = "kabtop.de";
};
appservice = {
hostname = "127.0.0.1";
id = "signal";
as_token = "$MAUTRIX_SIGNAL_AS_TOKEN";
hs_token = "$MAUTRIX_SIGNAL_HS_TOKEN";
};
database = {
type = "postgres";
uri = "$MAUTRIX_SIGNAL_APPSERVICE_DATABASE";
};
encryption = {
allow = true;
default = true;
verification_levels = {
receive = "cross-signed-untrusted";
send = "cross-signed-untrusted";
};
pickle_key = "$MAUTRIX_SIGNAL_ENCRYPTION_PICKLE_KEY";
};
backfill = {
enabled = true;
};
bridge = {
permissions = {
"@kabbone:kabtop.de" = "admin";
};
};
logging = {
min_level = "warn";
writers = [
{
format = "pretty-colored";
type = "stdout";
}
];
};
};
};
kabbone_mautrix-whatsapp = {
enable = true;
registerToSynapse = true;
environmentFile = config.age.secrets."services/matrix/mautrix-whatsapp.env".path;
settings = {
homeserver = {
address = "http://localhost:8008";
domain = "kabtop.de";
};
appservice = {
hostname = "127.0.0.1";
id = "whatsapp";
as_token = "$MAUTRIX_WHATSAPP_AS_TOKEN";
hs_token = "$MAUTRIX_WHATSAPP_HS_TOKEN";
};
database = {
type = "postgres";
uri = "$MAUTRIX_WHATSAPP_APPSERVICE_DATABASE";
};
encryption = {
allow = true;
default = true;
verification_levels = {
receive = "cross-signed-untrusted";
send = "cross-signed-untrusted";
};
pickle_key = "$MAUTRIX_WHATSAPP_ENCRYPTION_PICKLE_KEY";
};
network = {
history_sync.request_full_sync = true;
};
bridge = {
permissions = {
"@kabbone:kabtop.de" = "admin";
};
};
logging = {
min_level = "warn";
};
};
};
};
age.secrets."services/matrix/synapse.yml" = {
file = ../../../secrets/services/matrix/synapse.age;
owner = "matrix-synapse";
file = ../../../secrets/services/matrix/synapse.age;
owner = "matrix-synapse";
};
age.secrets."services/matrix/mautrix-telegram.env" = {
file = ../../../secrets/services/matrix/mautrix-telegram.age;
owner = "mautrix-telegram";
file = ../../../secrets/services/matrix/mautrix-telegram.age;
owner = "mautrix-telegram";
};
age.secrets."services/matrix/mautrix-whatsapp.env" = {
file = ../../../secrets/services/matrix/mautrix-whatsapp.age;
owner = "mautrix-whatsapp";
file = ../../../secrets/services/matrix/mautrix-whatsapp.age;
owner = "mautrix-whatsapp";
};
age.secrets."services/matrix/mautrix-signal.env" = {
file = ../../../secrets/services/matrix/mautrix-signal.age;
owner = "mautrix-signal";
file = ../../../secrets/services/matrix/mautrix-signal.age;
owner = "mautrix-signal";
};
}

56
modules/services/server/mealie.nix
View File

@@ -1,36 +1,36 @@
{ config, pkgs, ... }:
{
services.mealie = {
enable = true;
listenAddress = "127.0.0.1";
credentialsFile = config.age.secrets."services/mealie/credentialsFile".path;
settings = {
ALLOW_SIGNUP = "false";
DB_ENGINE = "postgres";
TZ = "Europe/Berlin";
};
config,
pkgs,
...
}: {
services.mealie = {
enable = true;
listenAddress = "127.0.0.1";
credentialsFile = config.age.secrets."services/mealie/credentialsFile".path;
settings = {
ALLOW_SIGNUP = "false";
DB_ENGINE = "postgres";
TZ = "Europe/Berlin";
};
};
services.nginx = {
enable = true;
virtualHosts = {
"mealie.kabtop.de" = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://localhost:9000";
};
services.nginx = {
enable = true;
virtualHosts = {
"mealie.kabtop.de" = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://localhost:9000";
};
};
};
age.secrets."services/mealie/credentialsFile" = {
file = ../../../secrets/services/mealie/credentialsFile.age;
owner = "mealie";
};
security.acme.defaults.email = "webmaster@kabtop.de";
security.acme.defaults.webroot = "/var/lib/acme/acme-challenge";
security.acme.acceptTerms = true;
age.secrets."services/mealie/credentialsFile" = {
file = ../../../secrets/services/mealie/credentialsFile.age;
owner = "mealie";
};
security.acme.defaults.email = "webmaster@kabtop.de";
security.acme.defaults.webroot = "/var/lib/acme/acme-challenge";
security.acme.acceptTerms = true;
}

116
modules/services/server/microvm.nix
View File

@@ -1,48 +1,55 @@
{ config, microvm, lib, pkgs, user, agenix, impermanence, ... }:
let
name = "gitea-runner";
in
{
config,
microvm,
lib,
pkgs,
user,
agenix,
impermanence,
...
}: let
name = "gitea-runner";
in {
microvm = {
autostart = [
name
];
vms = {
${name} = {
inherit pkgs;
config = {
imports =
[ agenix.nixosModules.default ] ++
[ impermanence.nixosModules.impermanence ] ++
[( ./gitea_runner.nix )];
imports =
[agenix.nixosModules.default]
++ [impermanence.nixosModules.impermanence]
++ [(./gitea_runner.nix)];
networking = {
hostName = "${name}";
firewall = {
enable = true;
allowedUDPPorts = [ ];
allowedTCPPorts = [ ];
allowedUDPPorts = [];
allowedTCPPorts = [];
};
};
systemd.network = {
enable = true;
networks = {
"10-lan" = {
matchConfig.Name = "*";
networkConfig = {
DHCP = "yes";
IPv6AcceptRA = true;
};
};
enable = true;
networks = {
"10-lan" = {
matchConfig.Name = "*";
networkConfig = {
DHCP = "yes";
IPv6AcceptRA = true;
};
};
};
};
users.users.${user} = { # System User
users.users.${user} = {
# System User
isNormalUser = true;
extraGroups = [ "wheel" ];
extraGroups = ["wheel"];
uid = 2000;
openssh.authorizedKeys.keys = [
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIANmaraVJ/o20c4dqVnGLp/wGck9QNHFPvO9jcEbKS29AAAABHNzaDo= kabbone@kabc"
@@ -56,30 +63,32 @@ in
enable = true;
settings.PasswordAuthentication = false;
hostKeys = [
{
{
path = "/persist/etc/ssh/ssh_host_ed25519_key";
type = "ed25519";
}
{
}
{
path = "/persist/etc/ssh/ssh_host_rsa_key";
type = "rsa";
bits = 4096;
}];
}
];
};
};
fileSystems."/persist".neededForBoot = lib.mkForce true;
environment = {
systemPackages = with pkgs; [ # Default packages install system-wide
bash
coreutils
curl
gawk
gitMinimal
gnused
nodejs
wget
systemPackages = with pkgs; [
# Default packages install system-wide
bash
coreutils
curl
gawk
gitMinimal
gnused
nodejs
wget
];
persistence."/persist" = {
directories = [
@@ -100,23 +109,26 @@ in
mem = 4096;
#kernel = pkgs.linuxKernel.packages.linux_latest;
interfaces = [
{
type = "user";
id = "vm-${name}";
mac = "04:00:00:00:00:01";
} ];
shares = [{
source = "/nix/store";
mountPoint = "/nix/.ro-store";
tag = "ro-store";
proto = "virtiofs";
}
{
source = "/etc/vm-persist/${name}";
mountPoint = "/persist";
tag = "persist";
proto = "virtiofs";
}];
{
type = "user";
id = "vm-${name}";
mac = "04:00:00:00:00:01";
}
];
shares = [
{
source = "/nix/store";
mountPoint = "/nix/.ro-store";
tag = "ro-store";
proto = "virtiofs";
}
{
source = "/etc/vm-persist/${name}";
mountPoint = "/persist";
tag = "persist";
proto = "virtiofs";
}
];
#writableStoreOverlay = "/nix/.rw-store";
#storeOnDisk = true;
};

149
modules/services/server/nextcloud.nix
View File

@@ -1,35 +1,37 @@
{ config, pkgs, ... }:
{
services.nextcloud = {
enable = true;
hostName = "cloud.kabtop.de";
https = true;
package = pkgs.nextcloud32;
database.createLocally = false;
notify_push.enable = false;
enableImagemagick = true;
maxUploadSize = "512M";
caching = {
redis = true;
apcu = true;
};
imaginary.enable = true;
settings = {
log_type = "file";
logfile = "nextcloud.log";
overwriteprotocol = "https";
default_phone_region = "DE";
config,
pkgs,
...
}: {
services.nextcloud = {
enable = true;
hostName = "cloud.kabtop.de";
https = true;
package = pkgs.nextcloud32;
database.createLocally = false;
notify_push.enable = false;
enableImagemagick = true;
maxUploadSize = "512M";
caching = {
redis = true;
apcu = true;
};
imaginary.enable = true;
settings = {
log_type = "file";
logfile = "nextcloud.log";
overwriteprotocol = "https";
default_phone_region = "DE";
redis = {
host = "/run/redis-nextcloud/redis.sock";
port = 0;
};
"memcache.local" = "\\OC\\Memcache\\APCu";
"memcache.distributed" = "\\OC\\Memcache\\Redis";
"memcache.locking" = "\\OC\\Memcache\\Redis";
"enable_previews" = true;
"enabledPreviewproviders" = "
redis = {
host = "/run/redis-nextcloud/redis.sock";
port = 0;
};
"memcache.local" = "\\OC\\Memcache\\APCu";
"memcache.distributed" = "\\OC\\Memcache\\Redis";
"memcache.locking" = "\\OC\\Memcache\\Redis";
"enable_previews" = true;
"enabledPreviewproviders" = "
array (
'OC\Preview\PNG',
'OC\Preview\JPEG',
@@ -43,57 +45,56 @@
'OC\Preview\Krita',
'OC\Preview\HEIC',
)";
"maintenance_window_start" = "1";
};
config = {
dbtype = "pgsql";
dbuser = "nextcloud";
dbhost = "localhost";
dbname = "nextclouddb";
adminuser = "kabbone";
adminpassFile = config.age.secrets."services/nextcloud/adminpassFile".path;
dbpassFile = config.age.secrets."services/nextcloud/dbpassFile".path;
};
phpOptions = {
"opcache.interned_strings_buffer" = "16";
};
"maintenance_window_start" = "1";
};
services.redis = {
vmOverCommit = true;
servers.nextcloud = {
enable = true;
user = "nextcloud";
port = 0;
};
config = {
dbtype = "pgsql";
dbuser = "nextcloud";
dbhost = "localhost";
dbname = "nextclouddb";
adminuser = "kabbone";
adminpassFile = config.age.secrets."services/nextcloud/adminpassFile".path;
dbpassFile = config.age.secrets."services/nextcloud/dbpassFile".path;
};
phpOptions = {
"opcache.interned_strings_buffer" = "16";
};
};
services.nginx = {
services.redis = {
vmOverCommit = true;
servers.nextcloud = {
enable = true;
virtualHosts = {
"${config.services.nextcloud.hostName}" = {
enableACME = true;
forceSSL = true;
};
user = "nextcloud";
port = 0;
};
};
services.nginx = {
enable = true;
virtualHosts = {
"${config.services.nextcloud.hostName}" = {
enableACME = true;
forceSSL = true;
};
};
};
age.secrets."services/nextcloud/dbpassFile" = {
file = ../../../secrets/services/nextcloud/dbpassFile.age;
owner = "nextcloud";
};
age.secrets."services/nextcloud/adminpassFile" = {
file = ../../../secrets/services/nextcloud/adminpassFile.age;
owner = "nextcloud";
};
age.secrets."services/nextcloud/dbpassFile" = {
file = ../../../secrets/services/nextcloud/dbpassFile.age;
owner = "nextcloud";
};
age.secrets."services/nextcloud/adminpassFile" = {
file = ../../../secrets/services/nextcloud/adminpassFile.age;
owner = "nextcloud";
};
systemd.services."nextcloud-setup" = {
requires = ["postgresql.service"];
after = ["postgresql.service"];
};
security.acme.defaults.email = "webmaster@kabtop.de";
security.acme.defaults.webroot = "/var/lib/acme/acme-challenge";
security.acme.acceptTerms = true;
systemd.services."nextcloud-setup" = {
requires = ["postgresql.service"];
after = ["postgresql.service"];
};
security.acme.defaults.email = "webmaster@kabtop.de";
security.acme.defaults.webroot = "/var/lib/acme/acme-challenge";
security.acme.acceptTerms = true;
}

23
modules/services/server/ollama.nix
View File

@@ -1,9 +1,10 @@
{ config, pkgs, ... }:
let
ollamahostname = "llm.kabtop.de";
in
{
config,
pkgs,
...
}: let
ollamahostname = "llm.kabtop.de";
in {
virtualisation.oci-containers.containers."open-webui" = {
autoStart = true;
image = "ghcr.io/open-webui/open-webui:ollama";
@@ -11,17 +12,17 @@ in
"/var/lib/open-webui:/app/backend/data"
];
hostname = "open-webui";
ports = [ "8081:8080" ];
ports = ["8081:8080"];
};
services = {
nginx = {
virtualHosts = {
${ollamahostname} = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://localhost:8081";
};
${ollamahostname} = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://localhost:8081";
};
};
};
};

55
modules/services/server/postgresql.nix
View File

@@ -1,37 +1,39 @@
#
# System notifications
#
{ config, lib, pkgs, ... }:
{
# imports = [ ./postgresql_upgrade.nix ];
config,
lib,
pkgs,
...
}: {
# imports = [ ./postgresql_upgrade.nix ];
services.postgresql = {
enable = true;
package = pkgs.postgresql_16;
settings = {
max_connections = 200;
listen_addresses = "localhost";
password_encryption = "scram-sha-256";
shared_buffers = "4GB";
work_mem = "2GB";
maintenance_work_mem = "500MB";
autovacuum_work_mem = -1;
log_timezone = "Europe/Berlin";
timezone = "Europe/Berlin";
max_connections = 200;
listen_addresses = "localhost";
password_encryption = "scram-sha-256";
shared_buffers = "4GB";
work_mem = "2GB";
maintenance_work_mem = "500MB";
autovacuum_work_mem = -1;
log_timezone = "Europe/Berlin";
timezone = "Europe/Berlin";
};
authentication = pkgs.lib.mkOverride 14 ''
local all postgres peer
host giteadb gitea localhost scram-sha-256
host nextclouddb nextcloud localhost scram-sha-256
host synapsedb synapse localhost scram-sha-256
host whatsappdb mautrixwa localhost scram-sha-256
host telegramdb mautrixtele localhost scram-sha-256
host signaldb mautrixsignal localhost scram-sha-256
host mealie mealie localhost scram-sha-256
host onlyoffice onlyoffice localhost scram-sha-256
local onlyoffice onlyoffice peer
local hydra all ident map=hydra-users
local all postgres peer
host giteadb gitea localhost scram-sha-256
host nextclouddb nextcloud localhost scram-sha-256
host synapsedb synapse localhost scram-sha-256
host whatsappdb mautrixwa localhost scram-sha-256
host telegramdb mautrixtele localhost scram-sha-256
host signaldb mautrixsignal localhost scram-sha-256
host mealie mealie localhost scram-sha-256
host onlyoffice onlyoffice localhost scram-sha-256
local onlyoffice onlyoffice peer
local hydra all ident map=hydra-users
'';
identMap = ''
hydra-users hydra hydra
@@ -47,8 +49,7 @@
services.postgresqlBackup.enable = true;
age.secrets."services/postgresql/initScript.sql" = {
file = ../../../secrets/services/postgresql/initScript.age;
owner = "postgres";
file = ../../../secrets/services/postgresql/initScript.age;
owner = "postgres";
};
}

39
modules/services/server/postgresql_upgrade.nix
View File

@@ -1,5 +1,9 @@
{ config, lib, pkgs, ... }:
{
config,
lib,
pkgs,
...
}: {
environment.systemPackages = [
(let
# XXX specify the postgresql package you'd like to upgrade to.
@@ -8,26 +12,27 @@
# pp.plv8
]);
cfg = config.services.postgresql;
in pkgs.writeScriptBin "upgrade-pg-cluster" ''
set -eux
# XXX it's perhaps advisable to stop all services that depend on postgresql
systemctl stop postgresql
in
pkgs.writeScriptBin "upgrade-pg-cluster" ''
set -eux
# XXX it's perhaps advisable to stop all services that depend on postgresql
systemctl stop postgresql
export NEWDATA="/var/lib/postgresql/${newPostgres.psqlSchema}"
export NEWDATA="/var/lib/postgresql/${newPostgres.psqlSchema}"
export NEWBIN="${newPostgres}/bin"
export NEWBIN="${newPostgres}/bin"
export OLDDATA="${cfg.dataDir}"
export OLDBIN="${cfg.package}/bin"
export OLDDATA="${cfg.dataDir}"
export OLDBIN="${cfg.package}/bin"
install -d -m 0700 -o postgres -g postgres "$NEWDATA"
cd "$NEWDATA"
sudo -u postgres $NEWBIN/initdb -D "$NEWDATA" ${lib.escapeShellArgs cfg.initdbArgs}
install -d -m 0700 -o postgres -g postgres "$NEWDATA"
cd "$NEWDATA"
sudo -u postgres $NEWBIN/initdb -D "$NEWDATA" ${lib.escapeShellArgs cfg.initdbArgs}
sudo -u postgres $NEWBIN/pg_upgrade \
--old-datadir "$OLDDATA" --new-datadir "$NEWDATA" \
--old-bindir $OLDBIN --new-bindir $NEWBIN \
"$@"
'')
sudo -u postgres $NEWBIN/pg_upgrade \
--old-datadir "$OLDDATA" --new-datadir "$NEWDATA" \
--old-bindir $OLDBIN --new-bindir $NEWBIN \
"$@"
'')
];
}

71
modules/services/server/woodpecker.nix
View File

@@ -1,11 +1,14 @@
#
# CI/CD Woodpecker
#
{ config, lib, pkgs, ... }:
{
environment.systemPackages = with pkgs; [ # Default packages install system-wide
config,
lib,
pkgs,
...
}: {
environment.systemPackages = with pkgs; [
# Default packages install system-wide
woodpecker-server
woodpecker-cli
];
@@ -28,35 +31,35 @@
systemd.services = {
woodpecker-server = {
description = "CI/CD Pipeline Server";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" "postgresql.service" ];
requires = [ "postgresql.service" ];
wantedBy = ["multi-user.target"];
after = ["network.target" "postgresql.service"];
requires = ["postgresql.service"];
script = "${pkgs.woodpecker-server}/bin/woodpecker-server";
serviceConfig = {
User="woodpecker";
Group="woodpecker";
Environment="HOME=/var/lib/woodpecker";
EnvironmentFile=config.age.secrets."services/woodpecker/environment".path;
ReadWritePaths="/var/lib/woodpecker /var/log/woodpecker";
NoNewPrivileges=true;
MemoryDenyWriteExecute=true;
PrivateDevices=true;
PrivateTmp=true;
ProtectHome=true;
ProtectSystem="strict";
ProtectControlGroups=true;
RestrictSUIDSGID=true;
RestrictRealtime=true;
LockPersonality=true;
ProtectKernelLogs=true;
ProtectKernelTunables=true;
ProtectHostname=true;
ProtectKernelModules=true;
PrivateUsers=true;
ProtectClock=true;
SystemCallArchitectures="native";
SystemCallErrorNumber="EPERM";
SystemCallFilter="@system-service";
User = "woodpecker";
Group = "woodpecker";
Environment = "HOME=/var/lib/woodpecker";
EnvironmentFile = config.age.secrets."services/woodpecker/environment".path;
ReadWritePaths = "/var/lib/woodpecker /var/log/woodpecker";
NoNewPrivileges = true;
MemoryDenyWriteExecute = true;
PrivateDevices = true;
PrivateTmp = true;
ProtectHome = true;
ProtectSystem = "strict";
ProtectControlGroups = true;
RestrictSUIDSGID = true;
RestrictRealtime = true;
LockPersonality = true;
ProtectKernelLogs = true;
ProtectKernelTunables = true;
ProtectHostname = true;
ProtectKernelModules = true;
PrivateUsers = true;
ProtectClock = true;
SystemCallArchitectures = "native";
SystemCallErrorNumber = "EPERM";
SystemCallFilter = "@system-service";
};
};
};
@@ -81,9 +84,7 @@
};
age.secrets."services/woodpecker/environment" = {
file = ../../../secrets/services/woodpecker/environment.age;
owner = "woodpecker";
file = ../../../secrets/services/woodpecker/environment.age;
owner = "woodpecker";
};
}